This week’s Let’s Talk explores how businesses can verify their information is actually safe when using third-party platforms.
As more Australian small businesses move their operations to cloud-based platforms and adopt AI tools, questions about data security and privacy protection have become increasingly urgent. In this week’s edition of Let’s Talk, our experts explore how small businesses can verify their data is actually safe when using cloud-based tools and AI platforms.
Let’s Talk!
Rakesh Prabhakar, Country Head, Australia & New Zealand, Zoho
When businesses move to cloud tools and AI platforms, conversations usually focus on two-factor authentication and ISO certification. Rarely does it get to the more fundamental questions.
Our research found that one in three Australian businesses suffered a confirmed cyberattack in the past year. 74% have no complete visibility over who can access the data within their own systems, and more than half of ANZ organisations under 250 employees have no dedicated security team managing any of it.
Knowing whether your data is safe starts questions for your vendor: Where does your data physically sit? Is it subject to Australian law or the jurisdiction of wherever the vendor is headquartered? Does the platform generate revenue from advertising or data sharing? Reputable vendors should answer those questions without hesitation.
Beyond vendor selection, three things make a practical difference. A zero trust approach means no user or device gets access beyond what their role genuinely requires. Building security into every layer means your vendor is securing infrastructure, platform and application layers, not leaving gaps for you to find later. And security feedback loops, audit trails, access logs, and anomaly alerts, mean problems surface early rather than after the fact. Cloud security is a shared responsibility, but choosing the right vendor determines how much of that burden falls on you.
Frank Skiffington, Head of ANZ, Zoom
Today, cloud-based tools and AI platforms are central to business operations, helping reduce admin tasks, speed up workflows, and improve customer experience by turning conversations into outcomes. Appropriate configuration of these platforms is critical to supporting sound data handling practices. Weak governance, default settings not tailored to organisational needs, or ambiguous usage policies can leave organisations more vulnerable to cyberattacks, data breaches, or unintended data sharing.
Practical configuration for optimal protection starts with a few key questions: If you’re holding sensitive meetings, should end-to-end encryption be enabled? Do you understand what your AI tools can access, store, or learn from your data? Have you reviewed your default settings, permissions, and access controls recently?
For smaller businesses with limited IT resources, consider whether protections are built directly into the platforms being used. Solutions such as Zoom AI Companion offer security features to support configuration management, including encryption capabilities and admin controls for AI features. These tools allow businesses to manage user permissions, while data retention controls, another key feature, define how long generated data is stored and where it is processed.
Ultimately, risk sits in how tools are set up and used. The key question for small businesses isn’t just whether the platform is secure, but whether it’s configured securely for the way your business actually operates.
Adrian Towsey, VP of Commercial Sales for APJ, Datadog
Cloud-based tools are already essential infrastructure for businesses, and AI platforms are quickly becoming the same. The uncomfortable truth is confidence in data security comes from what organisations can see, prove, and enforce.
Start with contractual clarity. Before signing with any platform or provider, legal and security teams need explicit answers: “Where does the data live? How long is it retained? Is it used to train models?” If the contract is vague on any of these points, treat that ambiguity as a red flag.
Next, build observability into data flows – you cannot protect what you cannot see. Organisations need full visibility into which applications touch their data, which third-party services ingest it, and what, if anything, leaves their perimeter. Blind spots are technical gaps with real business consequences.
Then adopt a zero-trust security posture by default. Every AI tool and cloud integration should be treated as untrusted until proven otherwise. That means least-privilege access controls, continuous authentication, and real-time threat detection on data access patterns, which enables teams to identify and respond to suspicious behaviour as it happens.
Finally, audit relentlessly. If an organisation cannot replay exactly who accessed what data and when, there is no defensible security story. Data safety is a discipline in the cloud era – treat it as one.
Tony Burnside, VP and Head of APAC, Netskope
There are two key aspects to consider: the vendor’s security standards, and your own. In general, major cloud applications, and productivity and collaboration suites, offer solid embedded data protection, but the myriad of more niche AI and cloud tools warrants attention. Before deploying a tool, ask vendors how customers’ data is stored, processed, secured, who has access to it, and if it’s used to train algorithms. If they are serious about data ethics, they will be transparent, but if they seem hesitant or finding information is hard, it’s a red flag.
You also need your own safety nets. Regularly sharing good data handling practices with employees is non-negotiable and can go a long way, especially with new data loss vectors like generative AI or AI agents constantly emerging. But humans are fallible, and SMBs that can afford it should consider security tools such as Data Loss Prevention solutions that can keep sensitive data safe should employees make a mistake.
Data protection is complex in the AI age, and SMBs might not want to do it alone. Managed IT or Security Service Providers are relevant sources that can provide bespoke advice about the appropriate security mix based on your situation and needs.
Jason Duerden, Area VP, Australia and New Zealand, SentinelOne
If you cannot clearly identify which cloud and AI tools your staff are using, what data those tools can access, and whether unusual activity could be detected, your business data is not as safe as it should be.
For small businesses, the risk often stems from the staff; employees entering sensitive information into unmanaged AI tools, personal accounts being connected to business systems, third-party apps being granted more access than needed, or API keys being exposed in shared documents, code repositories or chat tools.
Our latest research found exposed AI access credentials, or ‘‘secrets,” including OpenAI and Azure OpenAI API keys, increased by approximately 140% in one year. These credentials allow applications to connect to AI platforms, so if they are leaked or misused, they can create a direct path into sensitive business systems and data.
The practical response is to embrace AI usage, with guardrails. Businesses should first ensure visibility into what AI services are being accessed. Next, create an approved list of AI and cloud tools, set a clear policy on what data can and cannot be entered, and prevent staff from using personal accounts for business workflows. AI credentials should be treated like passwords, with centralised management, limited permissions and regular reviews.
Business leaders should also check which apps are connected to their cloud systems and monitor for unusual behaviour across accounts, credentials and integrations. Data safety is about making sure every tool has clear ownership, appropriate access controls and monitoring oversight.
Steve Hunter, Director Engineering – APAC, Arctic Wolf
Australian SMEs have embraced cloud computing and AI tools to drive efficiency, reduce costs, and remain competitive. But with that adoption comes two business-critical challenges: keeping data safe and meeting regulatory requirements.
Knowing your data is safe requires moving from passive assumption to active validation. Start with visibility, if you cannot see who is accessing your data, when, and from where, you cannot protect it. Audit for misconfigurations, enforce access controls, and ensure data is encrypted and continuously monitored.
Next, examine your AI tools specifically. Are employees using unsanctioned platforms? Is proprietary data being fed into public AI systems? These are not hypothetical risks. Our research found 60% of IT leaders and 41% of end users admit to sharing confidential information with tools like ChatGPT.
Staying secure requires educating people, not just deploying technology. Employees need role-specific training and must feel safe reporting suspicious activity. Pair this with 24/7 continuous monitoring so threats are contained in minutes, not months.
AI supports your defences, but cannot replace human judgement. Small businesses should look for all-in-one solutions that combine endpoint, cloud, and identity protection with automation, reducing tool sprawl and cost.
Alex Drag, Head of Product Marketing, Kong
Agents are making autonomous decisions, orchestrating complex workflows, and interacting with dozens of services in real time. But most enterprises are trying to support this new paradigm with legacy API and integration infrastructure designed for a different era — resulting in fragmented tools, siloed governance, and manual processes that can’t scale.
What’s needed is a new kind of secure platform: one purpose-built for the demands of the agentic AI era.
Instead of giving agents direct, unfettered access to APIs, you should expose them through an AI-native infrastructure platform with native AI protocol support, dynamic access controls, token management policies, and Agent Identity Management. The platform should act as an intermediary, ensuring that agents can only access specific models, tools, and context they are authorized for, and that all data flowing back to the agent is filtered for sensitivity.
Governance is where enterprise AI initiatives live or die. Without proper controls, agents become security liabilities and compliance nightmares. With too much friction, innovation grinds to a halt. Proper governance balances these tensions through:
- Unified policy enforcement across all traffic types: API, event, LLMs, MCP, and Agent-to-Agent (A2A)
- Granular access controls determining which agents can access which tools and data
- Prompt and response inspection for sensitive data protection and compliance
- Full observability into agent behaviors, decisions, and costs
- Audit trails that satisfy regulatory requirements
- Cost guardrails preventing runaway inference spending.
Critically, governance must be centralized but not centrally bottlenecked. Platform teams need visibility and control; development teams need autonomy to ship. The right architecture makes both possible.
Julian Vido, AI Safety Lead, MYOB
For Australian SMEs, AI has quickly become an everyday tool. While adoption is spreading across all functions, governance continues to lag. MYOB’s latest Business Monitor found 84% of SMEs have no responsible AI policy in place, potentially putting their data at risk.
If you’re a business owner starting out on your responsible AI journey and trying to work out whether your data is safe, here are three questions to get you started.
What is AI doing with your data? Before you sign-up to any new software, you need clear and contracted answers to four things: Is my data used to train your models or anyone else’s? Where is my data stored and processed? What happens to my data if I leave? And how quickly will you tell me if something goes wrong?
What AI is running that you don’t know about? From a data-security perspective, the use of unvetted AI is particularly high-risk. To prevent sensitive data being entered by staff into free chatbots, you need to provide access to secure and approved AI tools. Just as importantly, audit the software you already use for unknown AI features. Without your knowledge, your data may already be flowing through them. Decide which tools and features are approved for which kinds of work, write it down, and make sure your team knows.
Who is responsible for keeping the standards in place? Keeping your data safe is an ongoing job and it needs an owner. Name someone in the business who is accountable for data security, vetting AI before adoption, and making sure the rules are being followed.
The National AI Centre now provides practical guidance to help businesses adopt AI responsibly, including easy-to-use AI assessment templates. At MYOB, our approach aligns to this guidance, embedding governance, oversight and accountability into AI features from the outset.
Cynthia Lee, APAC Vice President, Delinea
Businesses can feel more confident that their data is safe in cloud and AI platforms when they have visibility and control over who can access it, how it’s being used, and whether suspicious behaviour can be detected early.
For most companies, the biggest risk is often not the technology itself, but uncontrolled identities and permissions across multiple cloud tools.
As AI adoption accelerates, many businesses are connecting sensitive company information to platforms without any clear identity governance. That creates opportunities for unauthorised access, accidental data exposure, or employees oversharing information through AI tools. Strong identity security, including least-privilege access and continuous authorisation for AI tools, is becoming essential.
Businesses should also look beyond vendor marketing and ask practical questions: who can access my data, where is it stored, what audit trails exist, and how quickly can threats be detected? Keeping sensitive data secure ultimately comes down to control, visibility, and accountability.
Jay Patel, Founder & CEO, Vrinsoft Technology
This is usually where I ask teams to start when they think about cloud adoption or AI integration, because data security begins with ownership. The provider may operate the platform, but responsibility for your data, access policies, and governance still sits with you. That distinction matters more than most businesses realise.
One practical way I evaluate risk is by looking at three things: where the data is stored, who can access it, and whether the vendor has rights to use that data for model training or any secondary purpose. The third point deserves extra attention because the answer is often buried inside product terms and service agreements.
My rule is simple. If your team cannot trace the data journey from ingestion to storage, retention, and deletion, then the platform is not ready for sensitive business information.
AI may be moving quickly, but our approach has stayed consistent for years: client data should remain controlled, traceable, and accountable at every stage. Data security and sovereignty are becoming board-level discussions across Europe and beyond, and every business leader should be asking these questions before signing any contract.
Zak Menegazzi, APJ Director, Armis from ServiceNow, Armis
The reality is that 100% flawless cybersecurity defence is a myth in today’s dynamic threat landscape. The goal is risk mitigation rather than absolute elimination, assuming vulnerabilities exist in every ecosystem and striving for proactive resilience.
The Australian Cyber Security Centre (ACSC) recently warned that advanced AI systems, like Anthropic Claude Mythos, are being used by threat actors to uncover decades-old vulnerabilities and rapidly chain together low-severity vulnerabilities to orchestrate devastating infrastructure compromises.
But external threats are only half the battle. Inside organisations, AI-assisted “vibe coding” is introducing massive technical debt. Armis Labs tested leading generative AI models and revealed a 100% failure rate in consistently generating secure code. As developers push code to production faster than ever, they are inadvertently embedding high-risk vulnerabilities, like memory buffer overflows and missing resource limits, deep into enterprise architectures.
Reactive cybersecurity is no longer adequate. Defending the environment and protecting your business data now requires a radically modernised, AI-native approach. Businesses must look for a platform approach that manages detection to remediation end-to-end, and for any kind of exposure. Periodic scanning is a legacy mindset, obsolete in a world where vulnerabilities can be discovered, exploited and weaponised within minutes. Defensive systems must operate in a “continuous loop,” where new threats are immediately cross-referenced against the live asset inventory. Only with this innovative and proactive cyber exposure management can businesses become self-healing enterprises ready to face the next generation of AI-driven threats.
Craig Stockdale, Managing Director ANZ, Wasabi Technologies
As businesses ramp up their use of cloud platforms and AI tools, their data has never been more valuable, or more at risk. Cybercriminals are increasingly targeting cloud environments with stolen logins, so data security is now a core part of business resilience and continuity.
Businesses should start by looking at how data is being protected at every layer of the tech stack. Security must go further than passwords, and data infrastructure providers should include essential protection features. For example, cloud storage with multi-factor authentication, encryption, tight access controls, and immutable data backups attackers can’t change or delete.
It also pays to understand whether data can be exposed through AI training, third-party integrations, or connected apps. Businesses should be selective about choosing a provider who is clear about where their data lives, who can access it, and what governance is in place.
One of the emerging best practices is maintaining a secure, isolated copy of critical data that is hidden from ransomware attackers even if primary systems are compromised. For example, Wasabi’s Covert Copy, which includes multi-user authentication approval, adding a last layer of protection and confidence that you can recover your data if something goes wrong.
Charles Liu, Marketing Director, Cubic Promote
Most small businesses are asking the wrong question. It’s not “Is AI safe?” It’s “Am I being careless with my data?” Cloud and AI platforms are tools. Some are secure. Some are disasters waiting to happen. The real risk is businesses blindly uploading client info, financials, or internal documents without understanding where that data goes.
My advice? Treat your business data like cash. Only use reputable platforms. Turn on two-factor authentication. Limit staff access. Read the privacy policy, even if it’s boring. And if an AI tool says it trains on your data by default, think twice before dumping sensitive information into it.
Also — your team matters more than the software. One careless employee clicking the wrong link causes more damage than most hackers.
The businesses that stay safe are the ones that stay alert. Complacency is what gets companies burned.
Maria Kathopoulis, CEO & Chief Marketing Officer, UNTMD
Most businesses assume their data is safe because the platform is well known.
That assumption is not sufficient.
Start with access control. Who can see what. If your internal permissions are loose, the risk is internal before it is external.
Then assess data handling policies. Does the platform use your data to train models. Is it stored, anonymised, or retained. If you cannot answer this clearly, you do not understand your exposure.
Third, check compliance standards. Look for certifications like ISO 27001, SOC 2, or equivalent. These do not guarantee safety, but they indicate maturity in security practices.
Fourth, understand where your data lives. Jurisdiction matters. Data stored across borders may be subject to different legal frameworks.
Fifth, evaluate integration risk. Most breaches happen through connected tools, not primary platforms.
The reality is this.
You are not outsourcing responsibility. You are outsourcing infrastructure.
If you do not have clear visibility across access, storage, and usage, your data is not secure. It is just out of sight.
Lucien Wynn, CEO & Co-Founder, Joiin
As more businesses adopt cloud software and AI, questions around data security are moving beyond IT teams and becoming board-level discussions.
For finance leaders, the stakes are even higher. Financial data is sensitive, business-critical, and often spread across multiple systems, entities, and teams. Before adopting any cloud or AI platform, it’s important to understand how that data is protected and governed.
Reputable providers run on enterprise infrastructure like Amazon Web Services (AWS), with data encrypted in transit and stored in secure environments. Strong access controls, two-factor authentication, and role-based permissions should be standard.
Ownership matters too. Your data should remain yours: stored only as needed and fully deleted on request.
AI introduces another layer of consideration. Business leaders should ask every provider three simple questions: Is customer data used to train external AI models? Is it retained by third-party AI services? Does the AI respect existing user permissions? At Joiin, customer data is not used to train external AI models, is not retained by third-party AI providers, and AI responses always follow existing user permissions.
These are the kinds of questions worth asking before trusting any platform with business and financial data.
Charlie Wood, CEO, Wiise
The first question any business should ask is simple: who owns the data? If a cloud or AI provider cannot clearly state that your data remains your data, that’s an immediate red flag.
The second question is where the data actually lives. There is a major difference between a private tenant environment and a shared system where data may potentially be exposed to broader model training or logging processes. Businesses should ask vendors directly what happens after a prompt is entered. Is the data stored, logged, retained? Is it used to train future models? A trustworthy provider should be able to answer those questions clearly and transparently.
You also need to trust the underlying platform, not just the app. Enterprise-grade environments such as Microsoft Azure have very different compliance, governance and security capabilities baked in, compared to lightly governed consumer tools.
For businesses using AI alongside ERP systems, the stakes are even higher. ERP platforms are effectively the operating system of a business. If AI is interacting with financial, operational or customer data, security and integrity are not just optional but existential – fundamental to business continuity and trust.
Peter Waring, Chief Technology Officer, JAVLN
When businesses hear “cloud” or “AI”, one of the first questions is often: “Is my data actually safe?” It’s a fair concern, especially when sensitive client information is involved. But the reality is that modern cloud platforms are often far more secure than traditional on-site servers.
Think of it like storing important documents in a professionally monitored vault rather than a filing cabinet in the back office. Leading cloud providers invest billions into cybersecurity, including 24/7 threat monitoring, encryption, multi-factor authentication and automatic security updates. Most individual businesses simply can’t match that level of protection on their own.
The same principle applies to AI platforms. Businesses should choose technology partners that are transparent about how data is stored, protected and used. Look for providers with recognised security standards, clear compliance frameworks and strong access controls.
Ultimately, safe technology isn’t about where your data lives. It’s about who’s protecting it, how it’s monitored, and whether the platform was built for today’s security realities.
Michael Russell, Managing Director, Finwave Finance
The honest answer most SME owners do not want to hear is this: you probably do not know, and the platforms you are using are counting on that.
Most cloud and AI tools are safe enough for general use, but safe enough and actually safe are two different standards. The gap between them is where business risk lives.
Start with the basics. Read the data processing terms, not the privacy policy summary. Specifically look for three things: where your data is stored, whether your inputs are used to train models, and what happens to your data if you cancel the account. Many popular AI platforms default to using your content for model improvement unless you actively opt out, and that setting is rarely surfaced during onboarding.
The second question is access controls. Who inside your business can connect third-party tools to your systems? A staff member linking an AI tool to your CRM, email, or accounting platform without a documented approval process is a quiet liability that most SMEs discover too late.
The third is jurisdiction. Data stored offshore is subject to the laws of that country, not ours. That matters under the Australian Privacy Act, particularly if you hold customer information.
You do not need to be a tech expert. You need to ask better questions before you click connect.
Tushar Srivastava, Founder and CyberSecurity Advisor, AssessEasy
The short answer: you don’t. Not unless you’ve checked.
AI platforms get smarter by training on the data you give them. If you’re using free tools, your prompts—including client names, financial records, or strategy notes—can be used to train their models or shared with third parties. Most people don’t read the fine print. That’s fine. But you need a defensive mindset.
Here’s what actually works:
1. Never paste raw data into a public AI tool. Strip out client names, financials, and anything confidential.
2. Anonymise what you can. Use “Client 123” or “Project X” if the AI needs context.
3. Encrypt sensitive files before cloud storage. Most providers don’t do this for you by default.
4. Assume your data is leaking. Build that reflex. When you assume risk, you act differently.
These four steps take 10 minutes. They close the biggest gaps. And they work whether you read the privacy policy or not.
You don’t need to stop using AI or the cloud. You just need to use them with a plan.
Mukund Jha, Co-founder and Chief Executive Officer, Emergent
Ensuring that business data is safe and secure must begin at the fundamental level. When security is an afterthought it can never be as strong as security intentionally ingrained into these AI platforms. For founders, data is a company’s most valuable asset and platforms designed with a security-first mindset ensure that they can operate with confidence.
Access should be carefully and thoughtfully controlled, meaning that systems and tools only interact with the data needed to perform a given task at that moment. By limiting exposure to sensitive data at every step through robust permission configurations, any risk of misuse or overreach can be significantly reduced. This approach gives a founder peace of mind that their data isn’t available for hackers to exploit, and permission is still required for any external communication or data sharing.
Transparency is critical. The most effective platforms incorporate safeguards such as phishing detection and protection from malicious injection, ensuring that core security commands are untouched and the user’s data private when presented with complex tasks.
Through these measures, secure systems can empower founders to automate and scale their businesses without any worry of cyber assault.
Connor Linehan, Principal Consultant, Proxima Australia
According to our data, only 29% of Australian businesses have real-time visibility into the cyber risk of their critical suppliers. Just 48% conducted supplier cyber stress-tests in the past 12 months, despite cyber incidents affecting 38% of businesses through their supply chain in the past two years.
Your data is only as safe as your weakest supplier’s security posture.
What to do:
- Map critical data flows. Which suppliers touch sensitive data? Which platforms host it? Cloud and AI tools often involve multiple third parties, each a potential entry point. Ensure data loss prevention procedures are in place.
- Segment suppliers by risk. Tier vendors based on data sensitivity and business criticality. High-risk suppliers need deeper scrutiny.
- Request certifications and audit rights. SOC 2 Type 2, ISO 27001, regular penetration testing, these shouldn’t be negotiable for critical vendors.
- Build cyber into procurement. Assess security posture before contract signing. Strengthen contractual protections around data handling, exit clauses, and breach liability.
Monitor continuously. Annual assessments aren’t enough. Use tools that track threats, incidents, and vendor security changes in real-time.
Put simply, you need to be proactive. Supply chain cyber risk is business risk.
Justin Lester, Director, Market Enablement & Activation, Lexin Solutions
Data safety in the cloud age comes down to independent verification over vendor promises. You know your data is secure when a platform subjects itself to continuous, automated control monitoring rather than annual point-in-time checks.
Look for platforms that backup their claims with an independent SOC 2 Type II audit report, which proves their security controls work effectively over an extended period, not just on the day of an inspection. True data protection requires a strict architecture, and data must be encrypted both in transit and at rest. Access must be restricted using least-privilege protocols alongside Single Sign-On (SSO) and Multi-Factor Authentication (MFA), and every upstream vendor must be rigorously vetted for risk.
Security can’t be a static policy gathering dust on a server – it must be an active, operational framework where system configuration changes are continuously reviewed, and incident response plans are regularly tested.
In our experience managing complex systems, building trust requires total transparency. If a technology provider can’t instantly provide an independent audit report or clear documentation of their continuous compliance monitoring under a non-disclosure agreement, your data is at risk.
Muthukumar T, Partner, Befree
It’s a fair concern, and one more SMEs should be asking before they onboard a new tool, not after.
Cloud and AI platforms vary enormously in how seriously they treat your data. Here’s what to check:
Look for ISO 27001 certification: This is the global benchmark for information security management – independently audited, not self-declared. If a platform you’re trusting with financial data doesn’t hold it, ask why.
Read the data processing terms, not just the privacy policy: Specifically, where is your data stored, who can access it, and is it used to train AI models? Several AI platforms use customer data for model improvement by default. It’s usually opt-out, not opt-in.
Check for role-based access controls and audit trails: You should be able to see who accessed what and when. If a platform can’t tell you that, it’s not built for business-grade security.
Ask whether your data crosses borders: For Australian businesses, understanding where data is hosted and processed matters for Privacy Act compliance.
Data security isn’t a feature; it’s a baseline expectation. At Befree, it’s also how we’ve operated for over 20 years: ISO 27001 certified, GDPR compliant, and strict about who touches your data.
Dr Anna Harrison, Founder and CEO, RAMMP
You don’t know if your data is safe.
In March, an autonomous AI agent breached McKinsey’s internal AI platform in under two hours exposing 46.5 million chat messages, 728,000 files, and 57,000 user accounts. The vulnerability? SQL injection. A bug class documented since the 1990s. If a firm with McKinsey’s budget gets opened up by a 30-year-old exploit, the right question for every Australian small business is how much risk have I unknowingly accepted?
Every prompt you send to a US-headquartered AI tool such as Claude or ChatGPT is data leaving your jurisdiction. Under the US CLOUD Act, American authorities can compel US providers to produce data they hold regardless of where it’s stored.
These are theoretical risks. If you sell pies and cappuccinos, the productivity gains likely outweigh the exposure. If you handle defence, health, legal, or financial data, the calculus is different.
Three safeguards every business owner should put in place this week:
- Minimise the attack surface. Do you actually need a customer’s date of birth? Every field you store is a field you have to protect.
- Encrypt the sensitive stuff. No unencrypted passwords or card data in your database. Use services that do this for you such as Stripe and PayPal. Be cautious that the app you create using a vibecoding platform like Lovable is unlikely to have safeguards in place.
- If you’re in a sensitive supply chain, build a moat. Bring governed AI in, don’t push your data out. Australian platforms like ORCA Opti now make that possible even for smaller suppliers.
Before you plug another tool into your business, ask: if this provider was breached tomorrow, what would I leave exposed?
Kathryn Giudes, Managing Director, ORCA Opti
Can you answer yes to whether your data is safe? That is not a technology problem. It is a terms-of-service problem that most business leaders have not read closely enough.
More than one billion people worldwide now interact with consumer AI platforms monthly. The overwhelming majority operate under terms that permit their conversations to be used for model training, reviewed by third-party contractors, and retained for years. This is regardless of whether the user clicked ‘delete’. If your employees are using personal or reimbursed AI subscriptions for any work-related task, your corporate data is almost certainly already inside that pipeline.
Here’s what surprises most executives: paying more does not buy privacy. ChatGPT Plus, Claude Pro and Google AI Pro all operate under the same legal terms as their free equivalents for training and data retention. The premium subscription buys speed and features, not a privacy posture.
Enterprise agreements improve this materially, but they do not fully solve it. Your data still transits US infrastructure under US legal jurisdiction. Contractual exclusion from training does not override a lawful US government data request. And for organisations using any China-based AI services, the exposure is even more direct.
At ORCA Opti, we have built an AI Guardian, acting as a gatekeeper for sensitive data. By stripping out or sanitising private and sensitive information before it reaches commercial AI systems, and keeping all logging within your own environment. The only logging that occurs is within your organisation’s own tenancy, available for quality control, audit and compliance.
The businesses getting this right aren’t choosing between AI capability and data safety. They’re demanding both. Finding that the answer lies in how the platform is built, not what the contract says.
Billy Loizou, AVP & GM, APAC, Amperity
If you don’t know where your customer data lives, how it’s connected, and who can access it, it’s very difficult to know whether it’s truly secure.
The biggest challenge for most brands is fragmentation. Customer data often sits across CRM systems, loyalty platforms, ecommerce tools, POS systems, and digital channels, each with different permissions and levels of visibility. That creates operational complexity and increases risk.
The brands in the strongest position are moving toward a unified, governed customer data foundation. When customer records are connected into accurate, trusted real-time profiles, businesses gain clearer visibility into how data is collected, accessed, and used across the organisation.
That matters even more as AI becomes more embedded into marketing and customer experience. AI is only as trustworthy as the data underneath it. If customer context is fragmented or incomplete, AI can make the wrong decisions faster and at greater scale.
Governance also needs to be built into the architecture from the start, not layered on afterward. It’s about understanding what data can be collected, how consent is managed across systems and regions, and ensuring the right teams have the right access.
For brands operating across APAC, this becomes even more complex as privacy regulations continue to evolve market by market. The companies navigating this successfully are the ones building transparency and consent management directly into their customer data infrastructure.
Trusted customer context is becoming the foundation not only for better customer experiences, but for safer and more responsible AI adoption.
Sarah Richardson, CEO, Australian Loyalty Association
Data security is one of the most important questions any business leader should be asking right now. The honest answer is that trust needs to be earned through transparency – especially in loyalty.
When evaluating any cloud-based tool or AI platform, start by understanding where your data actually lives, who can access it, and whether it’s being used to train third-party models. These are important commercial and ethical questions that sit squarely with leadership.
Our research shows that more than 40 percent of consumers are already using AI tools to inform purchasing decisions. That means the data flowing through your loyalty and marketing platforms is increasingly sensitive – it reflects not just what customers buy, but how they behave, what motivates them and when they’re most vulnerable to switching. The stakes of a breach, or simply of misuse, are significant.
At the Australian Loyalty Association, our AI education series addresses exactly this kind of challenge – helping loyalty leaders and marketers understand not just how to deploy AI effectively, but how to do so responsibly, in ways that protect customer trust and meet the scrutiny of boards and regulators.
The businesses that get this right will be safer and more trusted, which in today’s environment, is a genuine competitive advantage.
Jonathan Reeve, Regional Director, ANZ, Eagle Eye
Security makes or breaks the reputation of a business — and nowhere is that more consequential than in retail loyalty. Loyalty programs are data ecosystems. Every transaction, every redemption, every personalised offer is built on a continuous flow of sensitive customer information. The retailers experiencing the strongest results are those connecting customer data across every touchpoint and acting on that data in real time. But that connectivity only creates value if the infrastructure — and the ethics — underpinning it are sound.
As AI capabilities become more widespread, modern retailers are investing heavily in strong data security measures to protect customer information from breaches and misuse. They’re communicating openly with customers about how their data is being used, providing clear opt-out mechanisms and giving customers greater control over their personal information.
There’s an upward trend of AI-powered agents sitting between the shopper and the checkout, making product selections and comparing prices in real time. Security has to be engineered to match that pace of activity. At Eagle Eye, our approach starts with the architecture itself. All information is stored on secure servers within the Google Cloud Platform and Network, with industry-standard firewalls and physical, electronic and procedural safeguards across everything we hold. Our platform handles real-time offer issuance and redemption at checkout with sub-250ms response times at peak load. That performance is only possible because the security layer is equally robust.
Businesses that build governance into their architecture from the start will be the ones customers trust with their data for the long term.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.
